E-Stops

jtashaffer (Member, joined Aug 2009, Location: KY, 415 posts)
On a PLC-controlled system, should the E-Stop kill all power including the control power (PLC), or just what the PLC is controlling?
 
I would not kill the power supply that operates the PLC, or the control power that operates the PLC INPUTs. If the inputs are dead, the PLC is "brain-dead" because it no longer knows what is going on in the real world - like if you suddenly lost your vision, hearing, and touch. Generally an E-Stop can kill the PLC Output power (or only selected outputs) and still be safe.
 
I concur with everything Lancie pointed out. I have worked on PLC Systems where they killed all the I/O with an E-Stop. It is problematic, because you can't display which E-Stop is pushed on an HMI etc. I even commissioned a system once with a Red Lion Display to tell the Operator which E-Stop was pushed. However, it was on an Output Card that was de-energized when the E-Stop was pushed. (Brilliant!) I had to do a fair bit of rewiring to get it to work as intended.

I only de-energize the Outputs for the reasons both Lancie and I pointed out. As well, if you are running VFDs, a Contactor in the Motor Leads to instantly kill the power to the motors is something to consider. On some of our machines, we also have an Air Dump Valve that exhausts all the air from the system when the MCR Relay controlled by the E-Stops drops out. It is a judgment call as to whether it is safer to leave the air on, or dump it on a machine.

Stu.....
 
An E-Stop should kill all motive power; it can be done by removing power from the outputs, depending on the level of safety you need.

I would never kill the PLC, it should have an auxiliary contact from the E-Stops or E-Stop Contactors though, to enable the program to shut down control and identify the fault.
 
On our machinery we have an E-Stop contactor/Safety relay which cuts out the 24V supply rail to solenoids, motors etc. etc. There is a secondary 24V supply on certain machines that does not get cut out should you require a solenoid to be switched in a specific state for safe cut-out.

All air gets exhausted from our systems once an E-Stop is pressed. It's up to the programming of the PLC to ensure that all outputs are reset.

Another thing: should you cut out the power to the PLC, you won't have any feedback to your HMI that the E-stop is pressed, and you'll have a rather tricky recovery process after that.
 
hi,
just a thought, what is the purpose of the e-stop for starters? Is there any need to put a stop to all the outputs? What we have on the machinery and equipment where I work is a simple Pilz relay which, when an e-stop is hit, drops out a main contactor. This contactor switches 3-phase power to the top of individual motor circuit breakers. Also our e-stops have 3 lots of contacts: 2 NC for the Pilz relay and one NO for indication back to our PLC, which is then displayed on our HMI. Weigh up what you need.
 
The only proper way to implement a safety system is to perform a risk assessment. This should be done with a minimum of the design engineer, a safety specialist, a maintenance person, and a machine operator.

DO NOT just make judgement calls on your own. If you design a system in which someone is hurt (or worse), then you could be personally liable.

Each and every motion should be analyzed for how it affects the person. There are several sites that explain what you should do and give examples of how to do the risk assessment.

As a side rant, I have gotten many machines from different manufacturers (no, not some fly-by-night company) that do not know how to implement a safe design. I have seen regular retroreflective photoeyes used as a light curtain for e-stops, ice cube relays for master control relays, e-stop buttons that, when released, restart the machine immediately, programmed e-stops, plus many more. I just wish I could refuse these machines, but that is not an option. The only solution is to redo the entire machine after we get it here.
 
Bruce hit the nail on the head: Risk Assessment.

While many systems can safely kill all outputs, are there any unexpected consequences in doing this? Do you need to do one thing and verify it has completed prior to doing something else? Are the sensors/logic such that if the sensor fails, a wire becomes disconnected/broken, etc., it fails safe? Risk Assessment typically is not a five-minute task done at the end of the project but an ongoing part of the design, build and commissioning/verification process.
 
I was just wondering. The program I wrote would just kill all outputs; when the E-stop is reset, you have to start everything back up. But my master electrician said it should kill all control power and the machine's outputs by code.
 
... The program I wrote would just kill all outputs, ...

The program you wrote can do that, but the power should be removed from the devices electrically, not just by your PLC program.

Follow the advice given by Bruce and Peter. Do a safety assessment. Don't rely on a PLC program to handle E-Stops. The PLC can monitor E-Stops via separate contacts from the safety relay(s) and safety switches/E-Stop buttons with auxiliary contacts. This is just for annunciation and to allow the program to handle the fact that it will no longer be able to control the machine. The safety system needs to be hardwired using properly rated components.
 
Primarily at, and in addition to, post #3

Putting in an isolation contactor to drop power to motors on e-stop is not a good solution, for many reasons.

#1 Depending on the driven load and its inertia, removing the drive from the motor by physical means could cause that load to hurt someone. In many cases it is better to do an aggressive decel and have the braking in place to handle it.

#2 Opening the connection between a motor and a drive by means of a contactor on an e-stop condition will blow the IGBTs in the drive if the drive is still enabled and conducting when this contactor opens. The contactor can be timed to prevent this, depending on the level of safety needed. Most of the time a method of braking is best to control your load. Opening a contactor with no other actions causes you to lose control of your load.

At the end of the day it depends, and all equipment is different. Hence the need for a professional safety assessment, as suggested by previous posters.
 
Most newer drives (less than 3 years old) have a safe-off option which isolates the IGBTs from the motor circuit, is not damaging to drive components, and is rated to safety level SIL 3. This trumps the need for an isolation contactor.
 
Bruce is right about assessing the risk. Depending on what type of system you're controlling will come into play as well. A conveyor system may have motors alone or it may have additional "movers" like diverters or pushers. Machines may have other energies besides the electrical that may need to be affected: air, hydraulic, etc.

On our conveyor systems, we have a PLC card or cards that lose power if what they control needs to be stopped. We also have an input to the PLC to turn those outputs off programmatically.
 
I was just wondering. The program I wrote would just kill all outputs; when the E-stop is reset, you have to start everything back up.

It has been said many times that you should program as if the PLC is the safety device AND wire as if the PLC will have all its outputs stuck on.
It sounds like you have done the first part with your program.


But my master electrician said it should kill all control power and the machine's outputs by code.
"...by code"? I'm guessing that means "law", not PLC program code. He is probably right. When it comes time to do inspection, it is often easier to look at the wiring diagram to see that there is a single switch that turns off all the dangerous outputs.

BTW, control power does not mean power to the PLC (CPU) and inputs. Power for outputs on PLCs is always a separate terminal from the power for the PLC CPU.
 
I agree with the risk assessment, but we also use NFPA 79, "Electrical Standard for Industrial Machinery". It discusses the basics of E-stops, what it kills, and various what-if situations.

Typically, we kill all I/O power. We then assess what has happened, and power up the MCR which restores power to the I/O.
We also put in a time delay for powering up before any outputs are turned on. We then manually reset the machine based on what the machine is, since each is different. And then inspect the machine again before going into auto cycle.

Each machine is different. Risk assessments must be done on each machine, and even done every time something unexpected occurs.

You must always ask the what-if question. A rule that we use is: if you can think of it, no matter how ridiculous it is, you'd better plan for it.

regards,
james
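Several posters above describe the same division of labour: the hardwired safety relay/MCR removes output power on its own, while the PLC only reads auxiliary contacts, annunciates which E-stop tripped, drops its own output commands, must not restart when the button is released, and waits out a power-up delay after a deliberate reset. The following is an added scan-cycle model of that PLC-side logic; it is not code from any poster in this thread. The input names (`ES1`, `ES2`, `mcr_feedback`, `reset_pb`), the three-scan delay and the scenario in `demo()` are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field

# Added example (not from the thread): PLC-side E-stop monitoring and reset
# logic. The hardwired safety circuit removes output power regardless of what
# this code does; the program only annunciates, drops its commands and gates
# the restart. Signal names and the delay length are assumed values.

RESET_DELAY_SCANS = 3   # assumed stand-in for the pre-output time delay


@dataclass
class Inputs:
    # E-stop auxiliary contacts: True = contact healthy (button not pressed)
    estop_aux: dict
    # MCR/safety relay auxiliary contact: True = output power present
    mcr_feedback: bool
    # operator reset pushbutton
    reset_pb: bool = False


@dataclass
class Controller:
    state: str = "FAULT"          # power-up starts faulted: reset required
    fault_msg: str = "Power-up: reset required"
    tripped_by: list = field(default_factory=list)
    delay_counter: int = 0
    outputs_enabled: bool = False

    def scan(self, inp: Inputs) -> bool:
        """One PLC scan. Returns whether the program is commanding outputs."""
        pressed = [name for name, healthy in inp.estop_aux.items() if not healthy]

        # Any pressed E-stop or loss of output power forces FAULT from any state.
        if pressed or not inp.mcr_feedback:
            if pressed:
                # Remember which button(s) so the HMI can show it even after release.
                self.tripped_by = pressed
                self.fault_msg = "E-stop pressed: " + ", ".join(pressed)
                if inp.mcr_feedback:
                    # Button pressed but relay still reports power: safety relay
                    # or wiring problem, worth annunciating separately.
                    self.fault_msg += " (WARNING: output power still present)"
            elif self.state != "FAULT":
                self.tripped_by = []
                self.fault_msg = "Output power lost without E-stop aux input"
            self.state = "FAULT"
            self.outputs_enabled = False
            self.delay_counter = 0
            return False

        if self.state == "FAULT":
            # Releasing the button must not restart the machine; wait for reset.
            if inp.reset_pb:
                self.state = "RESETTING"
                self.delay_counter = RESET_DELAY_SCANS
            return False

        if self.state == "RESETTING":
            self.delay_counter -= 1
            if self.delay_counter <= 0:
                self.state = "RUN"
                self.fault_msg = ""
                self.tripped_by = []
                self.outputs_enabled = True
            return self.outputs_enabled

        # RUN: hardwired safety healthy, program free to command outputs.
        self.outputs_enabled = True
        return True


def demo() -> list:
    """Constructed scenario; returns (state, outputs_enabled, fault_msg) per scan."""
    ctl = Controller()
    healthy = {"ES1": True, "ES2": True}
    trace = []

    def step(inp):
        ctl.scan(inp)
        trace.append((ctl.state, ctl.outputs_enabled, ctl.fault_msg))

    step(Inputs(dict(healthy), True))                  # power-up: faulted
    step(Inputs(dict(healthy), True, reset_pb=True))   # operator reset
    for _ in range(RESET_DELAY_SCANS):
        step(Inputs(dict(healthy), True))              # delay, then RUN
    step(Inputs({"ES1": True, "ES2": False}, False))   # ES2 pressed, MCR drops
    step(Inputs(dict(healthy), True))                  # ES2 released: still faulted
    step(Inputs({"ES1": False, "ES2": True}, True))    # ES1 pressed, power still on
    return trace


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The trace shows the behaviour the thread asks for: the controller powers up faulted, only leaves FAULT on an explicit reset and then waits the delay before enabling outputs, records which E-stop tripped so the message survives the button being released, and flags the case where an E-stop aux contact opens while the relay feedback still reports output power.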
 
